After getting the target's IP address, open it in a browser and see whether it serves a default web page. Here the website simply shows a login page, so let's gather more information with enumeration and scanning tools.

There are other tools you can install to look up exploits, such as Searchsploit or Findsploit (https://www.exploit-db.com/searchsploit/). If you prefer detailed information about an exploit, the CVE or Exploit-DB websites are better.

4. Download vulnerable /exploitable source code
Since we only have the Apache user's access, we can't download files under /root or /home, so we have to use the "find" command to locate the directories the Apache user can read.

To sign up for the 'Hack the Box' website you need to find an "invite code".
First, look for missing or hidden information on the page. You can easily inspect and edit HTML elements with the developer tools, which open in your browser when you press F12.

You can see that the token value changes every time the page is refreshed. Sadly, the token value is not the invite code.

Secondly, find the function, i.e. the active JavaScript, that generates the invite code.
On the [Inspector] tab you can see the JavaScript code; the question is which part of it matters. Let's find out.

It returns data, but when I base64-decode that data (SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl) via https://www.base64decode.org/, it reads: "In order to generate the invite code, make a POST request to /api/invite/generate".

It started on 20th Oct and ended on the 22nd. Unlike other CTFs, where you can simply submit the flag value on the web, PWN2WIN 2017 CTF asked us to submit flag values via GitHub. So we spent 2 or 3 hours setting up that environment (getting SSH access, getting the team's key, ...), but it was fun!!

For CTF questions you can see the ranking in real time and the total solves, which shows how many people found the flag. I handle the web and programming part of our team, but as we already know, CTF web challenges are pretty damn hard. So I started with the easy questions such as g00d_b0y..

Simply solved by checking the bottom of the PWN2WIN 2017 rules page (https://pwn2win.party/rules/?lang=en), where you can find the flag!!

2. Great Cybernetic Revolution (Read first)

You see.. when people see a "read first" sign, they usually read the whole long story because of the sign!! I was one of them LOL and spent a couple of minutes finding the "mission". But yeah, you can find the flag in the story... It was fun to read tho 😀

3. Sum (Hello World Platform)

It looks like after connecting to the server on the specified port, it gives us a bunch of information regarding the certificate.

2. Edit input type and attributes
You can easily change the input's attributes so that it accepts more than 15 characters, or numeric or special characters.

In this example, I delete the "pattern" attribute and change maxsize to "155".

3. Try XSS and see if it works!! Or find another validation
After editing the SiteName input's attributes, we can type a basic XSS payload such as a '<script>' tag. But for some reason it does not show an alert on the page: the payload is treated literally as text and rendered into the webpage. That simply means there is another input validation in this webpage besides the input attributes.

Let's check the linked JavaScript to find the input validation. There are four different JavaScript files on this webpage.

It is fairly obvious that ex1.js has the input validation (the name is a giveaway, and you can easily find the trim().replace(...) part as well).

replace(/A/g, B) means replacing A with B. The 'g' flag stands for global, which makes the replace call apply to all matches, not just the first one. So this source means: change "<" into "&lt;". "&lt;" is the HTML-encoded form of "<".
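The point worth taking from ex1.js is that a check which only rewrites "<" (and runs in the browser, where the user can edit it away as shown above) is not output encoding. The following added example, written here and not taken from the page or from ex1.js, mirrors that trim-and-replace filter in Python next to a full HTML escape, and shows on constructed inputs which characters the weaker filter leaves alone. The sample values and function names are assumptions for the demonstration.

```python
import html

# Mirror of the client-side check the page found in ex1.js:
# trim() followed by replace(/</g, "&lt;"). It rewrites "<" and nothing else.
def client_side_filter(value: str) -> str:
    return value.strip().replace("<", "&lt;")

# The server-side counterpart a defender wants: escape every character that is
# significant in HTML text and inside quoted attribute values.
def server_side_escape(value: str) -> str:
    return html.escape(value, quote=True)

# Constructed sample inputs (not from the page): a harmless name, a tag, and a
# value whose only special character is a double quote.
SAMPLES = {
    "plain": "My Site",
    "tag": "<b>x</b>",
    "quote": '" onmouseover="x',
}

def quote_survives(value: str) -> bool:
    """True when the ex1.js-style filter leaves a raw double quote in its output,
    i.e. the value could still terminate a quoted attribute if echoed there."""
    return '"' in client_side_filter(value)

def compare_filters(samples=SAMPLES) -> dict:
    """Side-by-side output of both filters for each sample, for inspection."""
    return {name: (client_side_filter(v), server_side_escape(v)) for name, v in samples.items()}

if __name__ == "__main__":
    for name, (weak, strong) in compare_filters().items():
        print(f"{name:6} client: {weak!r:28} server: {strong!r}")
```

The "quote" sample is the instructive one: the ex1.js-style filter returns it unchanged because it contains no "<", while html.escape turns every double quote into &quot;. Whatever the browser-side script does, the server has to encode the value for the context it is rendered in.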

There are two types of File Inclusion attack: LFI (Local File Inclusion) and RFI (Remote File Inclusion). LFI includes files that are already located on the web server, which is why it relies heavily on directory traversal sequences (../../).

RFI includes a file remotely from another domain. If you have your own server with a malicious PHP file on it (e.g. https://hackerwebserver.com/attack.php), you can put that file's URL directly into the target website so that it loads the file.

1) DVWA : File Inclusion Attack – Low

This is the source of the file inclusion page in DVWA. As you can see, there is no input validation at the low security level in DVWA.

For an LFI attack, you can easily reach other directories by typing ../../../../. *If you have a hard time finding the directory path, you can use a web application crawler.

For an RFI attack, you can simply put a different website's URL after 'page=' in the URL. Just like the image below, you can see the new page is loaded if you change the last part of the URL to 'page=https://google.com'.

Which means that if you have a malicious PHP file, you can put its path in the URL and load it into the page.

You can easily make a malicious (bind or reverse shell) PHP file with Metasploit (msfconsole or msfvenom) and have the victim's web browser load it. First, start Metasploitable.

2) DVWA : File Inclusion Attack – Medium

The difference between the low and medium levels is that medium has input validation, which simply filters out http:// and https://. This filter can be bypassed by mixing upper and lower case, or by nesting the blocked string so that a single removal pass leaves a valid scheme behind, e.g. HtTp:// or hhttp://ttp://.

For LFI, the ../../ directory traversal sequence is still valid at this level, so we can use the same input we used at the low level.
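The medium-level filter fails because it is a blacklist applied once, and the low-level page fails because the parameter is used as a path with no check at all. The added example below, written for this page and not DVWA's own code, models the medium filter in Python exactly as the text describes it (one non-recursive removal of http:// and https://), shows why the nested and mixed-case inputs above get through, and then contrasts it with the allowlist approach a defender would use: accept only a bare file name from a fixed set and confirm the resolved path stays under the intended directory. The base directory, allowed page names and helper names are assumptions for the demonstration.

```python
import posixpath

# Constructed model of the DVWA Medium filter as the page describes it:
# each blocked substring is removed once, case-sensitively, and nothing else is checked.
BLOCKED = ("http://", "https://")

def medium_filter(page: str) -> str:
    for needle in BLOCKED:
        page = page.replace(needle, "")
    return page

def still_remote(page: str) -> bool:
    """Does the value still begin with a remote scheme after filtering?"""
    return page.lower().startswith(("http://", "https://"))

# Hardened alternative: an allowlist of page names resolved under one directory.
BASE_DIR = "/var/www/html/dvwa/vulnerabilities/fi"   # assumed location, not from the page
ALLOWED_PAGES = {"page1.php", "page2.php", "page3.php"}  # constructed names

def resolve_include(page: str, base_dir: str = BASE_DIR):
    """Return the absolute path to include, or None when the request is rejected.

    Rejects anything with a URL scheme, anything with a directory component
    (which covers ../ traversal), anything not in the allowlist, and, as defence
    in depth, any resolved path that does not stay inside base_dir."""
    if "://" in page or page != posixpath.basename(page):
        return None
    if page not in ALLOWED_PAGES:
        return None
    full = posixpath.normpath(posixpath.join(base_dir, page))
    if not full.startswith(base_dir + "/"):
        return None
    return full

if __name__ == "__main__":
    for candidate in ("page1.php", "../../../../etc/passwd",
                      "hhttp://ttp://example.test/x.txt", "HtTp://example.test/x.txt"):
        filtered = medium_filter(candidate)
        print(f"{candidate!r:40} medium -> {filtered!r} remote={still_remote(filtered)}"
              f"  allowlist -> {resolve_include(candidate)!r}")
```

Run stand-alone, the script shows both bypasses surviving the medium filter (the nested one collapses back into http://, the mixed-case one is never matched), while the allowlist resolver rejects every candidate except the known page name. The allowlist does not need to anticipate bypass strings at all, which is the reason to prefer it over a blacklist.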

3) DVWA : File Inclusion Attack – High

1) Reflected XSS
XSS (Cross-Site Scripting) is also a type of injection attack. The attacker uses malicious browser-side script to send malicious code to the web application's users. The most popular XSS vector is the '< script >' tag, but you can also inject script via body, onmouseover, img, etc.

For the low-level DVWA CSRF, you can easily change the password without logging in to the website. After viewing the page source, you can see the values (the new password and password_conf, the confirmation value) are sent via the GET method.

First, create your own HTML source that has the same form action as the change-password form.

Second, change the action="" part and type in the password value. To make this source code (e.g. csrf_test.html) send the GET values to the actual website (the DVWA site), you need to set the form action value to "http://127.0.0.1/dvwa/vulnerabilities/csrf/?" instead of "#".

Also assign the value (in this example 'csrfdone') to password_new and password_conf to change the password without logging on to the website.

Finally, click the Change button; the page will redirect to the DVWA CSRF page and show you the 'password changed' result!!!
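The walkthrough works because the low-level page accepts a state change over GET with nothing that ties the request to the user who is supposedly making it. The added example below, written for this page and not DVWA's own code, shows the two controls that break it: a per-session anti-CSRF token (an HMAC over a random nonce and the session id, so the server stores nothing) and a handler that refuses GET for the password change. The secret, session ids, form field name csrf_token and the handler's return values are assumptions for the demonstration; password_new and password_conf are the field names from the page.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-secret-for-this-demo"

def issue_csrf_token(session_id: str) -> str:
    """Bind a fresh random nonce to the session with an HMAC. The token is
    embedded in the form; an attacker's page on another origin cannot read it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def change_password(method: str, session_id: str, form: dict) -> tuple:
    """Hardened counterpart of the DVWA change-password handler.
    Returns (status, message); only POST with a valid token and matching
    password fields is accepted."""
    if method != "POST":
        return (405, "state-changing requests must use POST")
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return (403, "CSRF token missing or invalid")
    if form.get("password_new") != form.get("password_conf"):
        return (400, "passwords do not match")
    # A real handler would hash and store the password here.
    return (200, "Password Changed.")

if __name__ == "__main__":
    token = issue_csrf_token("session-of-victim")
    # A forged GET like the csrf_test.html page above: no token, wrong method.
    print(change_password("GET", "session-of-victim",
                          {"password_new": "csrfdone", "password_conf": "csrfdone"}))
    # The legitimate form submission carrying the token.
    print(change_password("POST", "session-of-victim",
                          {"password_new": "csrfdone", "password_conf": "csrfdone",
                           "csrf_token": token}))
```

Requiring POST alone is not enough (a hidden auto-submitting form can POST), and the token alone would still work over GET, which leaks it into logs and referrers; the handler enforces both.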

1. DVWA (Low) – Brute Force
Brute force is a password attack which tries every possible string until it finally finds the right password. This method might be useful if the password is made only of English letters or digits. (But as we all know, lots of people now create passwords with special characters or numbers etc.)

A more advanced attack is the dictionary attack, which uses a password dictionary (a wordlist of strings that people often use as passwords).

Back to DVWA: for brute forcing there are well-known tools like Hydra, Patator, etc. To use such a tool for a web brute force attack, we can't just directly try all possible passwords against the live server (it will lock the account out or add a time delay). So we are using another tool, Burp Suite, to intercept the login request and modify it.
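The lockout and time delay mentioned above are exactly what the low-level DVWA login lacks, and they are also what a defender looks for in logs. The added example below, written for this page and not part of DVWA, runs a sliding-window detector over a few constructed login log lines, flags a source that exceeds a failure threshold within the window, and derives a temporary lockout decision from the alert. The log format, the threshold of 5 failures per 60 seconds, the 15-minute lockout and the IP addresses are assumptions for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source ip> <user> <result>" per line.
# 192.0.2.10 hammers the admin account; 198.51.100.7 is a user who mistyped once.
SAMPLE_LOG = """\
2017-10-21T10:00:01 192.0.2.10 admin FAIL
2017-10-21T10:00:02 192.0.2.10 admin FAIL
2017-10-21T10:00:02 192.0.2.10 admin FAIL
2017-10-21T10:00:03 192.0.2.10 admin FAIL
2017-10-21T10:00:04 192.0.2.10 admin FAIL
2017-10-21T10:00:05 192.0.2.10 admin FAIL
2017-10-21T10:00:40 198.51.100.7 alice FAIL
2017-10-21T10:01:10 198.51.100.7 alice OK
"""

THRESHOLD = 5                  # failures ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window trigger an alert
LOCKOUT = timedelta(minutes=15)

def parse_line(line: str):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result

def detect_bruteforce(log_text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Return {source_ip: time_of_first_alert} for every source whose failed
    logins reach `threshold` inside any `window`-long span."""
    recent = defaultdict(deque)   # per source: timestamps of failures in the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _user, result = parse_line(line)
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts

def login_allowed(src: str, now: datetime, alerts: dict, lockout: timedelta = LOCKOUT) -> bool:
    """Temporary lockout: refuse attempts from an alerted source until the lockout expires."""
    alerted_at = alerts.get(src)
    return alerted_at is None or now - alerted_at >= lockout

if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG)
    for src, when in found.items():
        print(f"brute force suspected from {src} at {when.isoformat()}")
    print("192.0.2.10 allowed at 10:05?", login_allowed("192.0.2.10", datetime(2017, 10, 21, 10, 5), found))
    print("192.0.2.10 allowed at 10:30?", login_allowed("192.0.2.10", datetime(2017, 10, 21, 10, 30), found))
```

The detector keys on source address, which catches a single tool hammering one account; a real deployment would also count per target account, since a distributed attempt spreads its failures across many sources.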

You need to set your browser's proxy to localhost:8080. For Iceweasel, go to the [Edit] menu > [Preferences] > [Connection Settings]. Check "Manual proxy configuration" and type localhost or 127.0.0.1 with port 8080.

Then set up the Burp Suite proxy listener on 127.0.0.1:8080 under [Proxy] > [Options] > [Proxy Listeners].

HTTP has two well-known methods: GET and POST. The GET method retrieves a file or information. The POST method is used when you submit data, like posting contents to a board.

Command injection is an attack in which an attacker inputs a malicious command and runs it on the target. SQL injection uses SQL queries, while command injection uses system commands such as ifconfig or whoami.

*cf. shell command operators
A | B (B runs regardless of whether A succeeds, and receives A's output as its input)
A ; B (B runs regardless of whether A succeeds)
A || B (B runs only if A fails)
A && B (B runs only if A succeeds)

In DVWA Command Injection (security level: Low), if you type '192.168.0.25; ls' into the "Enter an IP address" field (whether the ping of 192.168.0.25 succeeds or not, it will run the ls command after the ';'), you can see the output of the 'ls' command after the ping result.

2. DVWA (Medium) – Command Injection

In DVWA Command Injection (security level: Medium), you can see that the difference between low and medium is a blacklist on ';' and '&&'. So if you type '192.168.43.43|ls', you can still see the result.
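Both the low level (no check at all) and the medium level (a blacklist of ';' and '&&' that leaves '|' and the other operators untouched) hand user input to a shell. The added example below, written for this page and not DVWA's own code, models the medium blacklist in Python, runs an operator check over the page's two inputs, and shows the fix a defender would apply: validate the field as an IP address with the standard ipaddress module and invoke ping with an argument list so no shell ever parses the value. The ping argument count and helper names are assumptions for the demonstration.

```python
import ipaddress
import re
import subprocess

# Characters that let a shell chain or substitute commands: the operators from the
# table above (| ; || &&) plus backticks, $(...) and newlines.
SHELL_OPERATORS = re.compile(r"[;|&`$()\n]")

def contains_shell_operator(value: str) -> bool:
    """Detection helper: does the raw input carry any shell control character?"""
    return SHELL_OPERATORS.search(value) is not None

# Constructed model of the DVWA Medium blacklist as the page describes it:
# it strips ';' and '&&' and nothing else.
def medium_blacklist(value: str) -> str:
    return value.replace("&&", "").replace(";", "")

def validate_target(value: str) -> str:
    """Allowlist validation: the field must parse as an IPv4 or IPv6 address.
    Anything else (including an address followed by an operator) is rejected."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {value!r}") from None

def build_ping_argv(value: str, count: int = 4) -> list:
    """Build the ping command as an argv list. The target is a single argument,
    so even a value containing ';' or '|' could never reach a shell."""
    return ["ping", "-c", str(count), validate_target(value)]

def run_ping(value: str) -> str:
    """Execute without shell=True; returns ping's stdout."""
    return subprocess.run(build_ping_argv(value), capture_output=True, text=True).stdout

if __name__ == "__main__":
    for candidate in ("192.168.0.25", "192.168.0.25; ls", "192.168.43.43|ls"):
        filtered = medium_blacklist(candidate)
        print(f"{candidate!r:22} operator={contains_shell_operator(candidate)!s:5} "
              f"after medium blacklist={filtered!r} still has operator={contains_shell_operator(filtered)}")
        try:
            print("   argv:", build_ping_argv(candidate))
        except ValueError as err:
            print("   rejected:", err)
```

The blacklist output for the '|' input is identical to its input, which is the whole medium-level bypass in one line; the ipaddress check rejects both injected inputs without needing to know any operator list, and the argv form means the validation is defence in depth rather than the only barrier.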

4. Go to a web browser and type 127.0.0.1 to see if the server is running.
**If you are using an old version of Kali, the default web root will be /var/www rather than /var/www/html. So if you can't find html under /var/www on your Kali, place the DVWA folder in www and use the URL 127.0.0.1/DVWA/login.php or 127.0.0.1/DVWA/setup.php.

In this case, I renamed the DVWA folder to lowercase dvwa, so the path is '127.0.0.1/dvwa/login.php'. It will redirect to setup.php to create/reset the database.

Click the Create / Reset Database button, then click the login link.

5. Login page. The default id is 'admin' and the password is 'password'.

**If you are having a hard time setting up the DVWA environment on Kali or another VM, you can simply download a virtual image of DVWA (.iso file).

Hacking other networks or systems is illegal and considered a crime. I am not responsible for what you do with this information. This blog is for educational purposes only.
